LiteLLM / LiteLLM

LiteLLM Supply Chain Compromise Incident — Install Poisoned Versions

Determine if a project installed compromised LiteLLM versions and clean the installation; scan GitLab CI/CD jobs and GitHub Actions for affected deployments Includes evidence for LiteLLM troubleshooting demand.

Source-backed Last updated June 2, 2026 3 sources Needs local verification

Category: LiteLLM
Error signature: LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains
Quick fix: Check the build output, project root, and deployment platform configuration before redeploying.
Updated: June 2, 2026
Verification status: Source-backed
Evidence: 3 public source URLs

Before you change production

This page includes public source URLs in the imported troubleshooting record. Compare those references with your version and environment before applying changes.

Reproduce the smallest failing action and save non-secret logs before changing configuration.
Check versions for LiteLLM, related SDKs, package managers, CI runners, and hosting providers.
Change one setting or dependency at a time, then rerun the same failing command or request.
Avoid destructive commands, credential rotation, billing changes, or security relaxations without a rollback plan.

What this error means

LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains is a LiteLLM failure pattern reported for developers trying to determine if a project installed compromised litellm versions and clean the installation; scan gitlab ci/cd jobs and github actions for affected deployments. Based on the imported evidence, treat this as a tool-specific troubleshooting page rather than a generic API error.

Why this happens

Critical security incident reported March 27, 2026. BerriAI (LiteLLM maintainer) disclosed a suspected supply chain attack. Versions 1.82.7 and 1.82.8 were poisoned and contacted checkmarx.zone. Clean version v1.83.0 released via new CI/CD v2 pipeline. Security scanners provided for GitLab and GitHub. CVE-2026-42208 (pre-auth SQL injection) and CVE-2026-30623 (MCP command injection) also discovered. High commercial value because LiteLLM is a widely-used AI gateway proxy serving as the front door to 100+ LLM providers for enterprises. Category mapping: LiteLLM → LiteLLM (direct match). This is a unique security-event-driven error that would be extremely valuable for dev-error-db coverage.

Common causes

Critical security incident reported March 27, 2026. BerriAI (LiteLLM maintainer) disclosed a suspected supply chain attack. Versions 1.82.7 and 1.82.8 were poisoned and contacted checkmarx.zone. Clean version v1.83.0 released via new CI/CD v2 pipeline. Security scanners provided for GitLab and GitHub. CVE-2026-42208 (pre-auth SQL injection) and CVE-2026-30623 (MCP command injection) also discovered. High commercial value because LiteLLM is a widely-used AI gateway proxy serving as the front door to 100+ LLM providers for enterprises. Category mapping: LiteLLM → LiteLLM (direct match). This is a unique security-event-driven error that would be extremely valuable for dev-error-db coverage.

Quick fixes

Confirm the exact error signature matches LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains.
Check the LiteLLM account, local tool state, and provider configuration involved in the failing workflow.
Check the build output, project root, and deployment platform configuration before redeploying.

Platform/tool-specific checks

Verify the command, editor, extension, or API client that produced the error.
Compare local settings with CI, deployment, or editor-level settings when the error appears in only one environment.
Avoid deleting credentials, local model data, or project settings until the failing scope is clear.

Step-by-step troubleshooting

Capture the exact error message and the command, editor action, or request that triggered it.
Check whether the failure is account/auth, quota/rate, model/provider, local runtime, or deployment configuration.
Review the source evidence below and compare it with your environment.
Apply one change at a time and rerun the smallest failing action.
Keep the working fix documented for the team or deployment environment.

How to prevent it

Keep provider/tool configuration documented.
Record non-secret diagnostics such as tool version, provider name, model name, and command path.
Add a lightweight check before CI or production workflows depend on the tool.

Diagnostic flow for this page

Match LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains exactly before applying the quick fix.
Compare the failing environment with LiteLLM versions, account scope, provider settings, and deployment context.
Check the listed common causes in order, starting with the cause that best matches your logs.
Use the evidence status below to decide whether to confirm against public sources or official documentation.
Apply one reversible change, rerun the smallest failing action, and keep rollback notes.

FAQ

What does LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains mean in LiteLLM?

LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains indicates the workflow described by "LiteLLM Supply Chain Compromise Incident — Install Poisoned Versions" failed in a LiteLLM context. Start by confirming the exact signature and the component that emitted it.

What should I check first for LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains?

Check whether this cause matches your environment: Critical security incident reported March 27, 2026. BerriAI (LiteLLM maintainer) disclosed a suspected supply chain attack. Versions 1.82.7 and 1.82.8 were poisoned and contacted checkmarx.zone. Clean version v1.83.0 released via new CI/CD v2 pipeline. Security scanners provided for GitLab and GitHub. CVE-2026-42208 (pre-auth SQL injection) and CVE-2026-30623 (MCP command injection) also discovered. High commercial value because LiteLLM is a widely-used AI gateway proxy serving as the front door to 100+ LLM providers for enterprises. Category mapping: LiteLLM → LiteLLM (direct match). This is a unique security-event-driven error that would be extremely valuable for dev-error-db coverage.

Is the LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains guidance source-backed?

The "LiteLLM Supply Chain Compromise Incident — Install Poisoned Versions" page is labeled source-backed. It has 3 public source URLs from docs.litellm.ai, bishopfox.com, reddit.com, so use that evidence status when deciding how much additional verification you need.

When should I avoid the quick fix for LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains?

For "LiteLLM Supply Chain Compromise Incident — Install Poisoned Versions", avoid applying "Check the build output, project root, and deployment platform configuration before redeploying." when the error text differs, the affected version or provider is different, or the change would touch credentials, billing, DNS, production deploy settings, or irreversible data.

What should I collect before debugging LiteLLM package compromised — versions 1.82.7 and 1.82.8 contain malicious code contacting external C2 domains?

For "LiteLLM Supply Chain Compromise Incident — Install Poisoned Versions", collect the failing LiteLLM command or request, non-secret configuration, versions, timestamps, request IDs when available, and the smallest reproduction that still triggers the signature.